Commit Graph

186 Commits

Author SHA1 Message Date
James Carter
b11ffdd290 Updated libsepol and secilc ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:04:26 -04:00
James Carter
3e4a902010 libsepol/cil: Add CIL bounds checking and reporting.
Use the libsepol bounds checking to check for and report user and
role bounds violations.

For type bounds checking, use libsepol bounds checking to determine
if there is a violation for a given type. For each violation display
an error message that includes the CIL AST from the root node to the
node of the rule causing the violation.

Example error report:
Child type b_t3_c exceeds bounds of parent b_t3
  (allow b_t3_c b_tc (file (write)))
    <root>
    booleanif at line 148633 of cil.conf.bounds
    true at line 148634 of cil.conf.bounds
    allow at line 148636 of cil.conf.bounds
      (allow b_t3_c b_tc (file (read write)))

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:16 -04:00
James Carter
bea07710d0 libsepol/cil: Track number of classes and number of types and attributes.
These values are stored in the CIL db so they can be used to
determine how much memory is needed for mapping libsepol values
to CIL data.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:16 -04:00
James Carter
beb01ceb49 libsepol/cil: Refactored CIL neverallow checking and reporting.
Use the libsepol neverallow checking to determine if a given neverallow
rule is violated. If a violation is found, use the function
cil_find_matching_avrule_in_ast() to find the AST node of the particular
rule that violates the neverallow. This allows CIL to provide a more
informative error message that includes the file and line number of the
node and all of its parents.

Example error report:
Neverallow check failed at line 31285 of cil.conf.neverallow
  (neverallow typeset4 self (memprotect (mmap_zero)))
    <root>
    booleanif at line 152094 of cil.conf.neverallow
    true at line 152095 of cil.conf.neverallow
    allow at line 152096 of cil.conf.neverallow
      (allow ada_t self (memprotect (mmap_zero)))

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:16 -04:00
James Carter
f9bdf580b8 libsepol/cil: Add function to search the CIL AST for an AV rule.
The search will be considered a success if any rule is found that
at least partially matches all parts (src type, tgt type, and class-
perms) of the target rule.

For example, for a target of (allow domain file_type (file (read write)
the rule (allow init_t init_exec_t (file (read exec)) will match.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:07 -04:00
James Carter
798faf1227 libsepol: Refactored bounds (hierarchy) checking code
The largest change to the user and role bounds checking was to put
them in their own functions, so they could be called independently.

The type bounds checking was changed to check one type bounds at
a time. An expanded avtab is still created, but now only the rules
of the parent type are expanded. If violations are discovered,
a list of avtab_ptr_t's provides details. This list is used to
display error messages for backwards compatibility and will be
used by CIL to provide a more detailed error message.

Memory usage is reduced from 9,355M to 126M and time is reduced
from 9 sec to 2 sec.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 09:44:55 -04:00
James Carter
9e6840e6a2 libsepol: Refactored neverallow checking.
Instead of creating an expanded avtab, generating all of the avtab
keys corresponding to a neverallow rule and searching for a match,
walk the nodes in the avtab and use the attr_type_map and ebitmap
functions to find matching rules.

Memory usage is reduced from 370M to 125M and time is reduced from
14 sec to 2 sec. (Bounds checking commented out in both cases.)

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 09:44:55 -04:00
James Carter
88d09b6979 libsepol: Treat types like an attribute in the attr_type_map.
Types are treated as attributes that contain only themselves. This
is how types are already treated in the type_attr_map.

Treating types this way makes finding rules that apply to a given
type much easier. This simplifies the implementation of neverallow
checking in assertion.c and bounds checking in hierarchy.c.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 09:44:55 -04:00
James Carter
49f7ebb04c libsepol: Add new ebitmap function named ebitmap_match_any()
This function returns true if there is a common bit that is set
in both bitmaps.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 09:44:55 -04:00
Stephen Smalley
8282ec48d2 Update checkpolicy and libsepol ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-06-15 09:23:20 -04:00
Jeff Vander Stoep
915fa8f08f checkpolicy: switch operations to extended perms
The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2015-06-15 09:21:20 -04:00
James Carter
a24fc044f4 Update libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-05-29 09:54:15 -04:00
Steve Lawrence
11fccc48cd libsepol: with pp to CIL, always write auditadm_r and secadm_r roles
to the base module

In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
either the base module or a non-base module, or they could be in both.
This means that it is possible for duplicate role declarations to exist.
CIL does not allow duplicate declarations of anything, but there is no
way for the pp compiler to know if the roles are declared in which
module, or if they are in both when compiling a single module. This
means we cannot use the same hack that we use for user_r, staff_r, etc.,
to generate CIL role declarations (i.e. only create role declarations
for these when defined in base).

So only for these two roles, always declare them as part of base,
regardless of where or if they are defined. This means that turning off
the auditadm module will never remove the auditamd_r role (likewise for
secadm), whereas right now, in some cases it would. This also means that
role allow rules will still exist for these roles even with the modules
removed. However, this is okay because the roles would not have any
types associated with them so no access would be allowed.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reported-by: Miroslav Grepl <mgrepl@redhat.com>
2015-05-29 09:46:25 -04:00
Steve Lawrence
54b3e9b946 libsepol: with pp to CIL, only associate declared roleattributes with
in-scope types

When a roleattribute is in a declared scope, CIL roletype statements are
generated for all types associated with it. This incorrectly includes
types that are associated with the roleattribute in optional blocks,
which can result in CIL resolution failures if the optional block is
turned off due to a missing type. So, change the roletype CIL statement
generation with roleattributes to mimic the behavior of roles, ensuring
declared roleattributes are only associated with in-scope types.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reported-by: Miroslav Grepl <mgrepl@redhat.com>
2015-05-29 09:45:59 -04:00
James Carter
7436598fb0 Update libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-05-27 14:02:17 -04:00
Yuli Khodorkovskiy
1e2b2e57e5 libsepol/cil: Do not allow categories/sensitivities inside blocks
Fixes https://github.com/SELinuxProject/cil/issues/2.

Sensitivities and categories generated from blocks use dots to indicate
namespacing. This could result in categories that contain ambiguous
ranges with categories declared in blocks.

Example:

    (category c0)
    (category c2)
    (block c0
        (category (c2))
        (filecon ... (s0 (c2)))
    )

The above policy results in the filecontext: ... s0:c0.c2. The categories c0.c2
could be interpreted as a range between c0 and c2 or it could be the namespaced
category c0.c2. Therefore, categories are no longer allowed inside blocks to
eliminate this ambiguity.

This patch also disallows sensitivites in blocks for consistency with category
behavior.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-05-27 14:00:01 -04:00
James Carter
17381435f8 Update libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-05-08 11:03:13 -04:00
James Carter
8ebb97d0be Replace fmemopen() with internal function in libsepol.
Created a new function, get_line(), to replace the use of fmemopen()
and getline() in module_to_cil.c since fmemopen() is not available
on Darwin.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-05-08 10:58:09 -04:00
James Carter
9ab426eea1 Update libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-05-05 16:08:41 -04:00
Yuli Khodorkovskiy
c3345c58a4 libsepol/cil: Verify users prior to evaluating users
If a userlevel or userrange statement is missing from a policy,
evaluate_level_expression() and evaluate_levelrange_expression, respectively
will have a NULL pointer dereference caused by a missing level in a user.

Add cil_pre_verify() which verifies users have a valid level. Also, move loop
checking in classpermissions into cil_pre_verify().

This fixes https://github.com/SELinuxProject/cil/issues/1.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-05-05 16:00:03 -04:00
Stephen Smalley
994db9d390 Update libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-24 14:32:01 -04:00
Stephen Smalley
7c912dbc7c libsepol: Binary modules do not support ioctl rules.
Prevent writing a binary policy module if the source
included an ioctl operation rule because we do not support ioctl
operation rules in the binary module format.  It doesn't seem
worthwhile to introduce a new binary policy module version since
CIL is now merged and we will have to implement the support in CIL
regardless; might as well only support it in CIL modules.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-24 14:24:04 -04:00
Stephen Smalley
a2ceeba03c Update libsepol and checkpolicy ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-23 08:33:18 -04:00
Jeff Vander Stoep
80bc7ee8fa Add support for ioctl command whitelisting
Adds support for new policy statements whitelisting individual ioctl
commands. Ioctls provide many of the operations necessary for driver control.
The typical driver supports a device specific set of operations accessible
by the ioctl system call and specified by the command argument. SELinux
provides per operation access control to many system operations e.g. chown,
kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per
file descriptor basis using the ioctl permission, meaning that the set of
operations provided by the driver are granted on an all-or-nothing basis.
In some cases this may be acceptable, but often the same driver provides a
large and diverse set of operations such as benign and necessary functionality
as well as dangerous capabilities or access to system information that should
be restricted.

Example policy:
allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
auditallow <source> <target>:<class> 0x8901

The ioctl permission is still required in order to make an ioctl call. If no
individual ioctl commands are specified, only the ioctl permission is
checked by the kernel - i.e. status quo. This allows ioctl whitelisting to
done in a targeted manner, protecting desired drivers without requiring every
ioctl command to be known and specified before use and otherwise allowing
existing policy to be used as-is.

This only implements ioctl whitelisting support for monolithic kernel policies
built via checkpolicy. Support for modules and CIL remains to be done.

Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
2015-04-23 08:30:33 -04:00
Stephen Smalley
c304a7d82e Update libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-16 07:53:29 -04:00
Yuli Khodorkovskiy
16796d8dc1 libsepol: Don't use symbol versioning for static object files
Libraries such as libqpol that link with libsepol statically do not understand
the symbolic versioning in libsepol. This patch disables the symbolic versioning
in libsepol if building the static library or building for Android.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2015-04-15 15:20:20 -04:00
Stephen Smalley
cacf51cef0 libsepol, secilc: Fix build for Android
The Android build does not like the symbol versioning introduced
by commit 8147bc7; the build fails with:
host SharedLib: libsepol (out/host/linux-x86/obj/lib/libsepol.so)
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version LIBSEPOL_1.1
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Omit the versioned symbols and simply use the current interfaces
when building on Android.

Commit 36f62b7 also broke the Android build by moving secilc out of
libsepol, because the libsepol headers were not installed by the Android.mk
file.

Export the required libsepol headers for use by secilc and adjust secilc
to pick them up from the right location on Android.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-02 12:01:10 -04:00
James Carter
c0064fb732 Update ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-04-02 10:52:25 -04:00
James Carter
4514332550 libsepol: add function to generate CIL from a module policydb
Add a new function, sepol_module_policydb_to_cil, that generates
CIL from a module (not kernel) policydb. Refactor
sepol_module_package_to_cil() to use the new function.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-04-01 13:09:21 -04:00
James Carter
758a7fe501 libsepol, policycoreutils: Move functions to convert a module package to CIL
Move code to convert a policy module to CIL from the policy package to
CIL conversion tool, pp, in policycoreutils to libsepol. The only changes
to the code are the additions of the prefix "sepol_" to the functions
sepol_module_package_to_cil() and sepol_ppfile_to_module_package(). This
code is being changed from GPL to LGPL with permission from Tresys.

Convert pp to use the renamed functions in libsepol.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-04-01 13:09:17 -04:00
Stephen Smalley
a94cfaebfc Update libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-31 12:38:41 -04:00
Yuli Khodorkovskiy
36f62b78f1 libsepol: Move secilc out of libsepol
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.

- Move secilc source, test policies, docs, and secilc manpage to secilc
  directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
  in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
  Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-03-31 12:31:38 -04:00
Steve Lawrence
78a472da14 Update libsepol ChangeLog 2015-03-23 12:51:33 -04:00
Richard Haines
d03e9373e8 libsepol: Fix building Xen policy with devicetreecon
Problems fixed:
1) Fix core dump when building CIL policy (corrupted double-linked list)
   by Steve Lawrence <slawrence@tresys.com>
2) Binary policy failed to read with devicetreecon statement.
3) Free path name - With a Xen policy running secilc/valgrind
   there are no memory errors.

Also added devicetreecon statement to CIL policy.cil and updated the CIL
Reference Guide.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-03-23 12:47:58 -04:00
Stephen Smalley
156c91cab2 Update libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-19 14:34:18 -04:00
Thomas Hurd
c046d974c5 libsepol: bool_copy_callback set state on creation
Boolean states are only written on a declaration.
If a module is turned off which includes a tunable declaration that
is required in another module, the state is never set. This patch
sets the state when the booldatum is created so that an uninitialized
memory read does not occur in cond_write_bool and write garbage to
the link binary.  This can cause a failure in cond_read_bool when
running semodule_expand.

Signed-off-by: Thomas Hurd <thurd@tresys.com>
2015-03-19 14:33:47 -04:00
Stephen Smalley
3057bcf6a0 Update ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-18 08:37:10 -04:00
Daniel De Graaf
f029067709 libsepol, checkpolicy: add device tree ocontext nodes to Xen policy
In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:44 -04:00
Daniel De Graaf
82030de5dc libsepol, checkpolicy: widen Xen IOMEM ocontext entries
This expands IOMEMCON device context entries to 64 bits.  This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space.  The policy version number change
is shared with the next patch.

While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:18 -04:00
Steve Lawrence
8147bc7622 libsepol: clean up the CIL API
- No longer require the caller to create a sepol_policydb. CIL is now
  responsible for that
- Since the user is no longer responsible for creating the policydb, two
  functions are added to let CIL know how it should configure the
  policydb, to set the policy version and the target platform
- Some functions, like cil_compile, do not need a policydb. Additionally
  some functions, like cil_filecons_to_string use the policydb, but could
  be rewritten to not require it. In these cases, remove the policydb
  from the API, and rewrite functions so they don't depend on it. The
  only function that uses a policydb is cil_build_policydb
- Add functions and symbolic versioning to maintain binary backwards
  compatability. API backwards compatability is not maintained

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-02-27 08:58:52 -05:00
Steve Lawrence
9532291548 Update libsepol ChangeLog 2015-02-26 08:35:28 -05:00
Richard Haines
c2c2bd34c9 libsepol: Update CIL documentation
Reformat secilc(8) man page for readability and correct url

Remove unused/obsolete info and correct portcon statement in the
Reference Guide.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-02-26 08:30:51 -05:00
Steve Lawrence
68f356e21a Update libsepol ChangeLog 2015-02-23 08:25:35 -05:00
Chris PeBenito
e7694874c2 libsepol: Fix error path in mls_semantic_level_expand().
If the level contains a category that is not associated with a sensitivity,
the code correctly detects the condition, but does not return an error.

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2015-02-23 08:25:35 -05:00
Steve Lawrence
8222f5551a Update libsepol Changelog 2015-02-18 09:26:44 -05:00
Steve Lawrence
28ae74e112 Merge commit '76ba6eaa7333483a8cc0c73a7880f7acf99c2656' 2015-02-18 09:25:20 -05:00
Stephen Smalley
98d497389b Update libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-03 13:36:01 -05:00
Stephen Smalley
00beeba1fc Maybe fix MacOS X build.
s6_addr32 is not portable; use s6_addr instead.

Change-Id: I21c237588d3e7200cefa3af96065f657dae4b1e7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-03 13:34:26 -05:00
Stephen Smalley
54075fb3cd Update libselinux and libsepol ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-03 11:25:41 -05:00
Stephen Smalley
eea6a900a6 Enable building CIL in the host libsepol.
Enable building CIL as part of the host libsepol.
This will allow using it for host-side policy tools.
Omit it from the device libsepol used for the CTS for now,
unless/until such a time as we find it necessary there.

Also build secilc, the CIL compiler.

Change-Id: I2f04a720d9143a9c84fbab211511f76d82581b0b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-03 11:18:44 -05:00